Audit and harden the SHA512 update step in the release automation of all 8 kcenon systems so that an archive's actual SHA is verified against sha512sum of the GitHub release archive before the new value is committed to the vcpkg overlay registry.
Current: Release workflows (presumably derived from the "chore: automate portfile SHA512 on release" change, #643) write SHA512 to kcenon/vcpkg-registry/ports/<port>/portfile.cmake without verifying it against the actual archive at https://github.com/<repo>/archive/refs/tags/v<version>.tar.gz. All 8 ports were silently broken as of 2026-05-03. The weekly vcpkg-consume-test.yml PASSED throughout because vcpkg's archive cache hits sidestep SHA verification.
Expected: Every release writes a SHA512 only after curl + sha512sum confirms the value. Mismatch fails the release. Consumers never see a stale SHA.
Scope: Cross-repo. 8 system release workflows + the vcpkg-registry consume-test workflow.
Audit (kcenon/vcpkg-registry#87 and PR #88) confirmed all 8 ports had the same class of mismatch — not a per-system oversight, a systemic flaw in the release automation.
vcpkg's archive cache silently masks SHA mismatch in subsequent installs (cache hit skips re-verification). New cold-cache consumers (new CI runners, new users) hit 100% install failure on every kcenon port.
This is exactly the failure class that prevents adoption — it works for maintainers, fails for new users, and the existing test infrastructure doesn't surface it.
force --no-binary-caching (or equivalent) so SHA mismatch surfaces
How
Recommended verification snippet (bash)
# Verify computed SHA against the actual GitHub archive before committing
set -o pipefail  # a failed curl must fail the pipeline instead of hashing empty input
TAG="$1"        # e.g., v0.2.0
REPO="$2"       # e.g., kcenon/common_system
NEW_SHA="$3"    # value the workflow is about to write to portfile.cmake
ARCHIVE_URL="https://github.com/${REPO}/archive/refs/tags/${TAG}.tar.gz"
ACTUAL_SHA=$(curl -fsSL "$ARCHIVE_URL" | sha512sum | awk '{print $1}')
if [ "$NEW_SHA" != "$ACTUAL_SHA" ]; then
  echo "ERROR: SHA mismatch — workflow computed $NEW_SHA, archive has $ACTUAL_SHA" >&2
  exit 1
fi
This step should run AFTER the workflow computes the new SHA and BEFORE committing the portfile change. It catches all three failure modes: (a) the wrong archive form (zipball vs tar.gz), (b) GitHub archive endpoint drift, and (c) hand-edits made without verification.
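The following is an added, self-contained version of the check above, not the issue's own snippet: it wraps the comparison in a function a release step can call, fetches to a temp file first so a failed download is reported instead of silently hashing empty input, and exercises the zipball-vs-tar.gz case from (a). fetch_archive is a hypothetical stand-in for curl -fsSL that reads a local path so the example runs offline; the two sample "archives" are constructed bytes, not real kcenon tags.

```bash
#!/usr/bin/env bash
# Added example (not the issue's own code). fetch_archive stands in for
# `curl -fsSL "$ARCHIVE_URL"` and reads a local path so this runs offline.
set -u

fetch_archive() {
  # In the real workflow this would be: curl -fsSL "$1"
  cat "$1"
}

# verify_sha512 ARCHIVE NEW_SHA
#   0 = NEW_SHA matches the sha512 of the archive actually fetched
#   1 = mismatch (the release must fail before portfile.cmake is committed)
#   2 = archive could not be fetched at all
# Fetching to a temp file first means a failed download is detected rather
# than hashed as empty input, which a bare `curl | sha512sum` would do.
verify_sha512() {
  local archive="$1" new_sha="$2" tmp actual_sha
  tmp=$(mktemp) || return 2
  if ! fetch_archive "$archive" > "$tmp" 2>/dev/null; then
    rm -f "$tmp"
    echo "ERROR: could not fetch $archive" >&2
    return 2
  fi
  actual_sha=$(sha512sum "$tmp" | awk '{print $1}')
  rm -f "$tmp"
  if [ "$new_sha" != "$actual_sha" ]; then
    echo "ERROR: SHA mismatch: workflow computed '$new_sha', archive has $actual_sha" >&2
    return 1
  fi
  return 0
}

# Constructed samples standing in for the two archive forms GitHub serves for
# one tag; their bytes differ, so a SHA taken from the zipball never matches
# the tar.gz that portfile.cmake actually downloads.
make_samples() {
  SAMPLE_DIR=$(mktemp -d)
  printf 'constructed tar.gz bytes for v0.2.0\n' > "$SAMPLE_DIR/v0.2.0.tar.gz"
  printf 'constructed zipball bytes for v0.2.0\n' > "$SAMPLE_DIR/v0.2.0.zip"
}

# sha_of FILE -> hex sha512, i.e. what the workflow "computed" before the check
sha_of() {
  sha512sum "$1" | awk '{print $1}'
}

main() {
  make_samples
  tarball="$SAMPLE_DIR/v0.2.0.tar.gz"
  verify_sha512 "$tarball" "$(sha_of "$tarball")" && echo "correct SHA: accepted"
  verify_sha512 "$tarball" "$(sha_of "$SAMPLE_DIR/v0.2.0.zip")" || echo "zipball SHA: rejected (rc=$?)"
  rm -rf "$SAMPLE_DIR"
}
main "$@"
```

Wiring this into a workflow means replacing fetch_archive with curl against ARCHIVE_URL and treating any non-zero return from verify_sha512 as a failed release; the return codes distinguish "wrong value" (1), which is the bug class in this issue, from "could not fetch" (2), which should also block the commit rather than be retried silently.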
Acceptance criteria
All 8 system release workflows include a "verify SHA against actual archive" step
The consume test runs against a cold cache (--no-binary-caching or runner-cleanup)
Example from the audit: kcenon/vcpkg-registry/ports/kcenon-common-system/portfile.cmake carried 7385ba3a073fea06... while the actual v0.2.0 archive's SHA512 is ac458878395dbac6....
Sub-issues to create
Risk
curl + sha512sum verification — negligible
Related